Some people view vulnerability researchers such as HD Moore as knights in shining armour for their efforts to discover security flaws in software products. Since launching the controversial Metasploit Project in 2003, HD Moore and a group of independent bug hunters have publicly posted information that makes it easier to develop and test code that can be used to attack software vulnerabilities.
Earlier this year, Moore began a Month of Browser Bugs campaign during which he promised to disclose one browser flaw a day for an entire month. More recently, his group released a tool designed to prevent browser exploit code from being detected by signature-based security tools. Supporters of researchers such as Moore argue that their work helps make software more secure. Opponents argue that the only ones being helped are the malicious attackers. In an interview, Moore talked about what he’s doing.
How exactly is the vulnerability research work being done through initiatives such as the Metasploit Project contributing to overall software security?
The Metasploit Project helps raise awareness of software flaws and the impact they can have on an organisation’s security. The availability of tools such as the Metasploit Framework allow anyone to learn more about security and the exploit process in general. Network administrators use the framework to justify patch installations, software developers use it to verify patches in their software, and security analysts use it to perform penetration tests. As more people become aware of software security flaws and their impact on their business, the software vendors will be held to higher standards of product security.
What was the driver for your Month of Browser Bugs initiative earlier this year?
How many bugs were disclosed in total during that one month? I had spent four months developing research and test tools for web browser vulnerabilities. I found over 100 unique flaws across a number of browsers and thought a month-long browser security awareness campaign would put pressure on the developers of these products. For the most part, it worked.
What would you say to opponents of such efforts who argue that the work being done by the Metasploit community and others like it ultimately helps only the bad guys?
There is an immediate short-term benefit to the good guys. Every major security vendor uses the tools developed by the Metasploit Project to test their products. Almost every security consultancy uses Metasploit tools to perform penetration tests and risk assessments. The Metasploit Project puts the “good guys” on an equal footing with the folks who already have the skill to launch these types of attacks on their own.
Some opponents of such research say that many of the flaws that are being discovered by the security research community are obscure and hard-to-exploit flaws that would have remained hidden if security researchers hadn’t gone out looking for them. These folks sound naive. History has shown that many of the worst security flaws were made public only after a bad guy was caught in the act. Some examples include the WMF vulnerability [MS06-001], a heap vulnerability in the widely used “CVS” source management tool and the Apache “chunked encoding” flaw that was eventually published by ISS. When I discover a new vulnerability, I have to assume that someone else found it first.
What about the notion that the bad guys are simply reverse-engineering patches to exploit holes that would have remained hidden if the researchers hadn’t disclosed the flaws?
That is ridiculous, and history has proven otherwise. The tools to quickly reverse-engineer a patch haven’t existed for more than a few years, and the bad guys were just as capable of finding and exploiting bugs at that time.
What’s your opinion on responsible vulnerability disclosure?
There is a myth that “responsible disclosure” means always waiting for a vendor to patch a flaw. That fails to take account of when not disclosing a flaw puts more folks at risk than simply posting the details to a mailing list. I have been reporting vulnerabilities to vendors for nearly ten years and still believe that forcing a vendor’s hand by releasing early is the responsible thing to do under the right conditions.
What is the correct way to report flaws in software products? In other words, how much time should vendors be given to respond to such disclosures? Is full disclosure necessary in all cases?
It depends on the vendor, how fast they respond and whether I am the only one that knows about a given vulnerability.